2010-10-29

Here are what I thought were the highlights of the DHS ICSJWG fall conference, in addition the opportunity to talk to many ICS security experts:

The Tuesday afternoon Stuxnet sessions – excellent presentations from ICS-CERT, Microsoft, Siemens and Industrial Defender. There was not much new in the presentations, but they did a great job of pulling together everything that was published in many different places over the last several months.

Number 7: Industrial control system vendors no longer tell their clients its their problem to secure their systems.

Number 6: Industrial control system vendors no longer tell their clients their warranty is voided if they try to secure their systems.

I would have liked more details on the Siemens investigations, but the Siemens representative did summarize well the information Siemens had already published.

Ken Sullivan of Microsoft estimated the Stuxnet worm was the work of 5-6 people and represents an investment of at least 10,000 hours of software development, not counting the stolen certificates, the discovery of the zero-days and QA.

The ICSJWG Information Sharing subgroup demonstrated the HSIN portal and how to get access to it.

The R&D subgroup listed about 15-18 topics for which either the DHS had awarded research funds, or was soliciting research proposals for funding.

Perry Pederson of the Nuclear Regulatory Commission gave a nice presentation on new cyber security regulations. Unlike my estimate of how NERC-CIP or CFATS compliant sites would have trouble standing up to an attack like Stuxnet, Perry maintained that a nuclear site compliant with the new regulations, or even one using the older best practices, would have fended off Stuxnet handily.

Ryan O’Neill of Pikewerks presented the results of preliminary research into techniques to protect legacy ICS components. The techniques prevented heavy-duty attacks like buffer overflows, return-oriented stack overflows, and code injection. Ryan has been awarded a DHS grant to take the work much further.

A surprise for me was Tim Roxey, the manager of CIP at NERC, who said NERC had issued a letter to all entities to which CIP applies. The letter instructs the entities to take a number of actions relating to the Stuxnet threat and reply to NERC when those actions are complete. One action is to run one of the Stuxnet detection techniques on all control system hosts, not just “critical assets.” I forgot to ask for a pointer to the letter – the closest thing to a copy I spotted on the internet is at http://www.nerc.com/docs/mrc/agenda_items/AgendaItem_12.d.pdf

I stayed for much of the 1-day introductory DHS training after the conference as well, and conclude the course hasn’t changed much. There is still much more time spent discussing the ICS security problem than is spent discussing solutions. The good news is that a new “intermediate training” course is coming, apparently focused on mitigations & solutions.

Overall I found the conference very much worth attending. There were by my estimate some 200-250 attendees and some excellent presentations. I heard complaints about lack of progress in the subgroups, and had to agree with some of the complaints. If I heard right, there was only one participant registered in the international subgroup. On the other hand, a lot of the documented focus of the ICSJWG is “information sharing” and I am a technologist at heart – I’m not sure I’d recognize “progress in information sharing” if it bit me.

What I did not see, but would like future conferences to have, is better insight into what progress is being made in securing industrial control systems. What fraction of sites have L2/L3 firewalls? Strict egress filtering? How close to fully patched are which fraction of hosts on L2 and L3 networks? What fraction of hosts are so old they are out of support by the vendor? Which vendors have which kind of security integrated into their products? Which have programs to QA patches promptly? The list goes on.

The ICS-CERT plans to produce a summary report of the incidents their fly-away teams are called to, some 14 thus far this year, but did not say when it would be available. That will be one step in the right direction.